Hard to believe that BH and DEFCON are only 2 months away. In gearing up for the annual trek to Sin City, here's a cool exposé on the SE CtF. I'm sure this will generate some questions on your end. Please ask away, as Chris would be happy to answer what he can.

I want you to picture this scene: It is a warm day in sunny Maryland; my phone rings. I answer it.

Me – “Chris speaking…”
Voice – “Hello Sir, this is Special Agent Smith (name changed) from the FBI, I would like to speak to you about this social engineering contest…”
Me – “Nice Dave, not falling for it. Good try sucker!”
Voice – “Sir, I already mentioned my name is Special Agent Smith, not Dave. It is important that we…”
Me – “Blah, Blah Blah.. right Dave. You are always trying to get me. Nice one, almost sounds real. Later loser…”

Moments after the phone was hung up it rings again…

Me – “Hello?”
Voice – “I would ask that you listen sir and do not hang up. Call me back at this number… And ask for Special Agent Smith.”

This was the birth of the very first Social-Engineer.Org’s Social Engineering Capture the Flag Contest (SE CtF) at DEFCON over 2 years ago.

It's not necessarily stupidity that is the flaw but the need to be helpful. You can get very intelligent people to disclose information if you know how to work the discussion. If you can get the mark to relate to you or vice versa, then you develop a sort of bond that makes them feel they could trust you. You are essentially finding exploits in humans as you would find in applications. The only real patch to this is education and awareness. In the case of the CtF, better classification of company information as well as educating the employees would probably help reduce the numbers shown in the report. Eventually a good SE will find the proper way to pull the information they require.

For instance, reading the DEFCON 18 report and looking at the flags, I figured to get something like "On Site Wireless" and "ESSID" I could pose as a new employee at a remote site (provided the target has remote sites). Use the pretext that I am at my new office but no company phone has been installed, so I am reduced to my cell phone to make all my calls. Then lead into "they didn't even set my laptop up all the way..." and proceed to ask for wireless information. Giving the mark signs of stress and frustration, they may think, hey, I was new once and man, I feel for this guy...

Knowing all this about SE, I think back to my earlier years in IT and wonder if I may have ever fallen for these tactics. I am sure I may have, since I tend to like being helpful. But nowadays I am much more aware.